The U.S. Attorney for the Southern District of Texas issued a news release on April 13 announcing an FBI “operation to copy and remove malicious web shells from hundreds of vulnerable computers…running on-premises versions of Microsoft Exchange Server software…" The announcement coincided with the partial unsealing of a search warrant.
The legal authority the FBI used for this operation was Rule 41 of the Federal Rules of Criminal Procedure, a rule detailing the requirements and process for issuing search warrants.
Yet it’s clear from the unsealed search warrant that the primary purpose of the FBI’s operation here was to remove malicious code surreptitiously; an admirable goal, but a slippery slope when it comes to the legal basis upon which executed.
Rule 41 and the ‘Probable Cause’ Warrant
The Fourth Amendment guarantees a person’s right “to be secure in their…houses, papers, and effects, against unreasonable searches and seizures,” and requires that in order for a search to occur in these private spaces, the government must secure a search warrant, issued based upon “probable cause…particularly describing the place to be searched, and the persons or things to be seized.” Rule 41 basically provides the road map for adhering to these Fourth Amendment requirements, through issuance of that “probable cause” warrant.
Putting aside the question as to how the government establishes “probable cause” when the search warrant doesn’t provide identifying information about the victims whose servers are to be accessed nor the places to be searched, the point is that Rule 41’s purpose is to further investigative evidence gathering, not to disrupt crime nor delete code (which ironically, is evidence in itself).
It’s true that Rule 41 was amended in 2016 to allow remote searches and seizures (Section (b)(2)(6)), but the premise of this amendment was to aid investigations that span across more than five federal districts—not to clean and secure victim computers.
This time the government removed rogue nation-state code; something most agree is dangerous. But what if the next time its Saudi Arabia objecting to their portrayal in a movie? Let’s call this Sony Pictures Part 2, after North Korea’s infamous 2014 attack on Sony Pictures, because its movie “The Interview” portrayed Kim Jong Un in a negative light?
What if this time, the FBI decides that Saudi Arabia’s concerns warrant hacking into private networks to delete all copies of the offending movie, under the premise of stopping a national security threat, a move arguably violative of the 1st Amendment?
Is the FBI Acting Legally?
Having been a member of both the law enforcement and intelligence communities, I’ve seen first hand the motivation that drives people to serve, and the dedication they bring. And while the FBI’s heart was in the right place, heart alone doesn’t suffice.
In this case, the FBI is knowingly causing “the transmission of a program, information, code, or command” to intentionally damage—damage having been defined to include deleting information— “protected computers” (in this case, the victims’ servers), without the authorization of the victims whose systems are being accessed.
In any other context, this would be criminal under Section 1030(a)(5)(A) of the Computer Fraud and Abuse Act (CFAA), which ironically, is one of the very statutes the FBI alleges was violated by the Chinese nation-state group known as Hafnium, at the heart of the threat to Microsoft Exchange Servers. But two wrongs don’t make a right. Not even in 2021.
From a practical perspective, if the motivation was to search computers for evidence, in virtually any other case there would be a point where the additional evidence to be gained would be duplicative, and the marginal return too low, to warrant searching additional computers. And that point would be long before searching over 100 victims’ servers.
Notably, Section 1030(f) of the CFAA states that “this section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency...” But not prohibiting an action is different from “lawfully authoriz[ing]” one. And with no court having interpreted application of 1030(f), we return to the FBI’s need for a route to secure court-authorization, which brings us back to Rule 41.
Interestingly, the FBI used Rule 41 in 2017 when it neutered a virulent botnet called Kelihos. But in that case, the operation involved rerouting victim computers, as opposed to gaining access and “clean[ing]” them. This newest operation is therefore the next step down the slippery slope that law professors, activists, and defense attorneys love to argue when challenging governmental action.
Yet with the damage done in just the past few months by Solar Winds and the Hafnium hacks alone, we clearly need a fresh approach. And the FBI’s solution here is just that. But it’s a solution without a clear legal basis.
So, whether it means amending the CFAA or passing a new law, one thing is clear: Contorting a long-standing federal procedural rule in a way for which 22 Senators raised concerns back in 2016, concerns precisely about using Rule 41 to “clean” computers—surely cannot be the right answer.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Joel Schwarz is director at MBL Technologies and serves as the firm’s privacy and data protection lead. He is an adjunct professor at Albany Law School and previously served as the civil liberties and privacy officer for the National Counterterrorism Center, and was a cybercrime prosecutor for the Justice Department and the New York Attorney General’s Office.